directory-dev mailing list archives

From Howard Chu <...@symas.com>
Subject Re: [jira] Created: (DIRSERVER-1169) Access control don't apply to the rootDSE
Date Tue, 06 May 2008 13:40:46 GMT
Alex Karasulu wrote:
> No need to quote the RFC with me, I know that it can be subject to
> access control - read my question. You know of situations when it is
> actually set to anything but read-only by everyone?

There are cases where MacOS admins remove access to the 
supportedSASLMechanisms attribute, to prevent the clients from attempting SASL 
Binds. I don't recall all the reasons behind it, but suffice to say it's 
mostly just a bandaid over a buggy SASL implementation.

You may also want to hide certain values from the 
supportedControls/supportedExtensions attributes, so that only particularly 
authenticated clients can see certain controls. (And furthermore you may want 
to prevent these controls/extensions from being used by various users...)

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
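
A check for the restriction described in this message, as an added example that is not part of the original post or of any project's code: it compares two root DSE reads saved as LDIF, one anonymous and one after binding (both constructed here), and reports the capability values the anonymous view lacks. The attribute names follow RFC 4512 (`supportedControl`, `supportedExtension`); the function names are hypothetical.

```python
import base64

# RFC 4512 root DSE attributes that advertise server capabilities.
CAPABILITY_ATTRS = ("supportedSASLMechanisms", "supportedControl", "supportedExtension")

# Constructed sample data: the same root DSE read anonymously and after a bind.
ANON_ROOTDSE = """
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedExtension: 1.3.6.1.4.1.1466.20037
"""
AUTH_ROOTDSE = """
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 2.16.840.1.113730
 .3.4.18
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms:: RElHRVNULU1ENQ==
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute: set of values}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # folded continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):            # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        entry.setdefault(name.lower(), set()).add(value)
    return entry

def hidden_from_anonymous(anon_ldif, auth_ldif, attrs=CAPABILITY_ATTRS):
    """Return {attr: sorted values visible when bound but not anonymously}."""
    anon, auth = parse_ldif_entry(anon_ldif), parse_ldif_entry(auth_ldif)
    diff = {a: sorted(auth.get(a.lower(), set()) - anon.get(a.lower(), set()))
            for a in attrs}
    return {a: vals for a, vals in diff.items() if vals}
```

An empty result means the server shows anonymous clients the same capability values as bound ones, so no root DSE restriction of the kind described is in effect.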
